12 Best Ways to Prevent Your Website from Getting Hacked

Google detected nearly 800,000 compromised websites last year—with roughly 16,500 new sites added to this list every week from around the globe. Cyber attacks are carried out for any number of reasons: data theft, negative SEO backlinking, denial-of-service (DoS), or even personal glory, to name a few.

Fortunately, the strongest website security measures boil down to a few core practices and principles. The following are the 12 best ways to hacker-­proof your website.

12. Enforce strong physical server security.

Source: Torkild Retvedt / Flickr Creative Commons.

Maintaining strong physical security is clearly a fundamental measure for keeping your website and its data safe. If hosting your own physical servers, ensure that proper physical access and visual surveillance is in place. If hosting through a cloud/web hosting provider, check the vendor’s website to verify that appropriate levels of physical security have been implemented in their data centers and facilities (e.g., biometric access, CCTV, motion detection).

11. Stay up-to-date with software updates and patches.

Any third party software products used to power your website—databases, web server software, content management systems (CMS)—are subject to continuous patching and updates from the vendor. Be sure to stay on top of these critical updates, especially for CMS packages like WordPress or Drupal. Unpatched software is a leading cause of outages and data breaches.

10. Use strong passwords.

Source: Automobile Italia / Flickr Creative Commons.

You’ve surely heard it before, but it’s worth repeating: strong passwords are a critical first line of defense against unauthorized access to your website and underlying systems. Typically, a strong password:

consists of at least 8 characters

does not contain your username, real name, company name, a complete word.

is different than previously used passwords

contains both uppercase and lowercase characters, numbers, and symbols.

9. Make sure any unused website resources are removed, if possible.

Source: Linux Screenshots / Flickr Creative Commons.

Un­used resources such as scripts or CMS plugins should be removed, as they could potentially be exploited by cyber attackers for gaining access to your website. Extraneous files (images, documents, text files) and databases should be removed if not in use.

8. Implement Google Webmaster Tools on your website.

Source: Searchengineland.com.

Google Webmaster Tools (GWT) will alert you immediately if your website is infected with malware. Additionally, since a compromise will likely result in negative SEO, monitoring your website’s performance with GWT will alert you of any potential security issues.

7. Configure GWT to send you automatic email notifications when issues are detected.

Source: Google Webmaster Tools.

By using GWT’s automatic notification feature, you will receive email alerts when

Free and low-cost tools exist for spotting vulnerabilities and security gaps in your website’s security: SUCURI, Acunetix, and Qualys, to name a few.

5. Use encryption for your web server’s files and databases.

Source: Linux Screenshots / Flickr Creative Commons.

These mechanisms ensure that data—even if stolen by cyber attackers—is rendered useless without possession of the appropriate digital key(s). Encryption should be used in critical web server files as well as databases.

4. Ensure that software version numbers and error messages are not visible by users.

Source: blog.qualys.com.

Website error pages usually display sensitive information about the web server, operating system, file paths, and more by default. You should therefore configure web servers and underlying components to never reveal this data to visitors.

3. Use two-factor authentication for your website’s login(s).

Source: Jonathan Molina / Flickr Creative Commons.

Two-factor authentication (2FA) is an extra layer of security that requires not only a password and username, but also data provided from a physical object in the user’s possession. Many CMS packages like WordPress and Drupal support 2FA.

2. Disable any file upload capabilities.

Source: code.msdn.microsoft.com.

Allowing users to upload files poses a significant security risk to your website. If file uploading is necessary, be sure to implement filters and controls that only accept certain file types uploads from users.

1. Implement SSL on your website.

Source: Sean MacEntee / Flickr Creative Commons.

Secure sockets layer (SSL) is not only critical for website security—Google will penalize your website and its SEO ranking for not using it. Because it encrypts all web traffic between the web browser and website, SSL prevents login credentials and other sensitive data from being usable by hijackers.

In short, the sad reality is that most websites will fall victim to cyber attacks or data breaches. The preceding 12 measures cover website security basics; as such, your efforts should not be limited to these efforts, but should entail a comprehensive security framework to include all your systems and IT data assets.